Description
Unauthenticated Broken Access Control in AI Product Search for WooCommerce &#8211; Motive Commerce Search <= 1.38.2 versions.
Published: 2026-06-15
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated broken access control flaw in the AI Product Search for WooCommerce plugin (Motive Commerce Search) versions 1.38.2 and earlier. An attacker can exploit this weakness by sending crafted HTTP requests to the plugin’s administrative endpoints, bypassing authentication checks and retrieving or manipulating sensitive data. The flaw directly undermines the confidentiality and integrity of a WordPress site, potentially exposing product details, user information, or configuration settings that should be restricted to authorized administrators.

Affected Systems

Any WordPress installation that includes the Motive Commerce Search plugin version 1.38.2 or earlier is affected. The vulnerability is specific to this plugin and does not extend to other WooCommerce or WordPress components unless they are configured to expose the same functionality.

Risk and Exploitability

The CVSS score of 8.2 indicates a high severity. The EPSS score is below 1%, suggesting that while the vulnerability is serious, the likelihood of exploitation is currently low. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires no additional privileges; an unauthenticated attacker can craft requests to trigger the broken access control. The risk is primarily the potential unauthorized data disclosure or modification gained by exploiting the exposed endpoints.

Generated by OpenCVE AI on June 18, 2026 at 00:44 UTC.

Remediation

Vendor Solution

Update the WordPress AI Product Search for WooCommerce &#8211; Motive Commerce Search Plugin to the latest available version (at least 1.38.3).


OpenCVE Recommended Actions

  • Upgrade the Motive Commerce Search plugin to version 1.38.3 or newer, following the vendor’s official recommendation.
  • Restrict access to the plugin’s admin pages by ensuring only users with the Administrator role can view or modify search settings, thereby enforcing the principle of least privilege.
  • Audit user roles and capabilities on the site to confirm no non‑admin users possess capabilities that could access the plugin’s administrative endpoints or search functionality.

Generated by OpenCVE AI on June 18, 2026 at 00:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Motive Commerce Search
Motive Commerce Search ai Product Search For Woocommerce &#8211; Motive Commerce Search
Wordpress
Wordpress wordpress
Vendors & Products Motive Commerce Search
Motive Commerce Search ai Product Search For Woocommerce &#8211; Motive Commerce Search
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated Broken Access Control in AI Product Search for WooCommerce &#8211; Motive Commerce Search <= 1.38.2 versions.
Title WordPress AI Product Search for WooCommerce – Motive Commerce Search plugin <= 1.38.2 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H'}


Subscriptions

Motive Commerce Search Ai Product Search For Woocommerce &#8211; Motive Commerce Search
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T12:29:55.738Z

Reserved: 2026-04-29T09:04:47.838Z

Link: CVE-2026-42664

cve-icon Vulnrichment

Updated: 2026-06-16T12:29:49.978Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:56.163

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-42664

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:07:06Z

Weaknesses